Showing results for 
Search instead for 
Did you mean: 

Rogue AP Contain on SSID questions and issues

Level 1
Level 1

My ultimate goal is that I want to be able to contain rogue AP's that are detected broadcasting (spoofing) SSID's that our controller is broadcasting.


I see that this can easily be done at: Security>Wireless Protection Policies>Rogue Polices>General>Auto Contain> Check box = Using our SSID = enabled.


I tested this above setting and it seems to work: in my test I set up an un-managed AP broadcasting one of our SSID's and our WLC detected the AP as a rogue and classified as malicious and began to contain. Perfect.


HOWEVER, here is the issue: we share our building with another organization and we both broadcast our Public wireless network using the same SSID so that guests in our building can use a single SSID for wireless access.


The by using the above setting of Auto Contain on "Using our SSID" we inadvertently blocked the AP's of the other organization broadcasting the Public wireless SSID.


Now my question is how can I auto contain on specific SSID's we broadcast and not on others such as the Public SSID?  I have tried to create a rogue rule and specify an SSID, but this results in an error that states: " Condition Failed: SSID Exists in WLAN Configuration.


How, can I make this work?

2 Replies 2


you may try to classify the shared organizations AP's as "friendly rogue access points" before you enable AP containment

but then again, when this party decides to add an acces-point, you also need to add this as a friendly rogue..

In my opinion auto-containment is not a very useful option.

VIP Alumni
VIP Alumni
I don't know in which country you live, but in most countries it's forbidden to disturb a foreign wireless network.
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Review Cisco Networking products for a $25 gift card